2) The NIST has a doc here http://csrc.nist.gov/publications/drafts.html called "Special Publication 800-44, Guidelines on Securing Public Web Servers." The NSA has guides on iPlanet and Apache here http://nsa1.www.conxion.com/support/download.htm.

3) There's a guide due out in October from these good people http://www.owasp.org/.

There are a couple of recent books that look good, but I've just received them so I can't comment in detail - _Hacking Web Applications Exposed_ and _Web Hacking: Attacks and Defense_.

Regards,
Michael

> -----Original Message-----
> From: Steven Walker [mailto:swalker7799at_private]
> Sent: Monday, September 16, 2002 12:05 PM
> To: Pen-Test Security Focus
> Subject: Application & Iplanet/Apache web server vulnerability and
> penetration testing
> Importance: High
>
> Dear Group,
>
> I have been given a project to perform web application vulnerability testing on iPlanet and Apache web servers. The servers run on NT/2000, Solaris 2.7-8 (iPlanet) and Linux, Solaris (Apache).
>
> In house tools are Whisker, WHArenal, NMAP, NESSUS. I have only used NMAP and NESSUS so far for firewall and internal network testing.
>
> I am at a loss at where to start the process and am trying to determine if additional tools are needed.
>
> 1. I would obviously harden the web server OS's by closing unnecessary ports, ensuring proper patch levels, getting rid of rhost and equiv files, enforcing password policies, limiting accounts, using ssh for administration, etc.
>
> 2. I don't know what to do on the web servers other than delete example scripts and ensure default passwords are changed to stronger ones. Are there any links that you know of that would provide a checklist of iPlanet and Apache vulnerability checks? Are there any recommended tools that can automate this process? Any suggestions on iPlanet and Apache security?
>
> 3. Regarding web applications, I will be expected to test applications before they go into production. I know to test for buffer overflows by inputting non-expected characters into fields. Beyond that, what advice could you give or methodology could you direct me to? Jobs are tough to find out there; I could use your help in keeping this one. Thanks to all of you who will help me.
>
> Sincerely
>
> Steven M. Walker CISSP, GSEC, ABCP
> Security Specialist
> 44 W. Douglas Dr.
> Saint Peters, MO 63376
> Office: 636.279.2206
> Home: 636.278.8004

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
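As an added example that is not from either poster, the host-level items in points 1 and 2 of the question (trust files, password policy, leftover example scripts, listening ports) can be turned into a small portable sh audit. It assumes a saved Linux-style `netstat -tln` listing for the port check and the example CGI names of a default Apache 1.3 install; every check takes explicit paths so it also runs against a test tree.

```shell
#!/bin/sh
# Constructed hardening audit for the checklist items in the question.
# No GNU-only find options are used, so it also runs on the Solaris hosts mentioned.

# Print rhosts-style trust files under the given root (hosts.equiv, ~/.rhosts).
find_trust_files() {
    root="$1"
    [ -f "$root/etc/hosts.equiv" ] && echo "$root/etc/hosts.equiv"
    for home in "$root"/root "$root"/home/*; do
        [ -f "$home/.rhosts" ] && echo "$home/.rhosts"
    done
    return 0
}

# Print accounts whose password field is empty in a passwd/shadow-format file.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print stock example/test CGIs still present in a cgi-bin directory
# (names assumed from a default Apache 1.3 install).
leftover_example_cgis() {
    for name in test-cgi printenv nph-test-cgi; do
        [ -e "$1/$name" ] && echo "$1/$name"
    done
    return 0
}

# Given saved Linux-style "netstat -tln" output ($1) and a space-separated
# allow list of ports ($2), print listening TCP ports not on the allow list.
unexpected_listeners() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)     # keep text after the last colon
            if (!(port in ok)) print port
        }' "$1"
}

# Run every check: host root, passwd-format file, cgi-bin dir, netstat
# listing, allowed ports. One line per finding; empty output means clean.
audit_host() {
    find_trust_files "$1" | sed 's/^/trust file: /'
    empty_password_accounts "$2" | sed 's/^/empty password: /'
    leftover_example_cgis "$3" | sed 's/^/example cgi: /'
    unexpected_listeners "$4" "$5" | sed 's/^/unexpected listener: /'
}
```

Run it as `audit_host / /etc/shadow /usr/local/apache/cgi-bin netstat.txt "22 80 443"` (paths are assumptions; adjust to the host) and treat every line printed as a finding to fix before the server goes into production.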
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 19:29:18 PDT